Htmlentities vs.addlashes与mysqli_real_escape_string [英] Htmlentities vs addslashes vs mysqli_real_escape_string
问题描述
我一直在阅读有关保护PHP应用程序安全的内容,在我看来,mysqli_real_escape_string
是在将数据插入MySQL表中时使用的正确函数,因为addslashes
可能会导致一些聪明的事情发生.攻击者.对吧?
I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string
is the correct function to use when inserting data into MySQL tables because addslashes
can cause some weird things to happen for a smart attacker. Right?
但是,有一件事使我感到困惑.我似乎记得要记住,在将用户输入的数据回传给用户以保护其数据时,建议addslashes
比htmlentities
更好,但似乎addslashes
是存在此漏洞的人.这是真的,还是我记错了?
However, there is one thing that is confusing me. I seem to remember being advised addslashes
is better than htmlentities
when echoing user-entered data back to users to protect their data, but it seems like addslashes
is the one with the vulnerability. Is this true, or am I remembering incorrectly?
推荐答案
您的数据有不同的上下文.将数据插入数据库的上下文与呈现html/xml或什至是电子邮件消息的上下文需要有所不同.
There are different contexts for your data. The context of inserting data into the database needs to be escaped differently than the context of rendering html/xml or even an email message.
转入db的转义数据应在所有新代码中弃用,而应使用已准备好的语句.告诉其他人的人都会给您带来极大的伤害.
Escaping data going into a db should be deprecated in all new code in favor of prepared statements. Anyone who tells you otherwise is doing you a great disservice.
根据目标,需要以多种不同的方式对进入浏览器的转义数据进行转义.有时htmlspecialchars就足够了,有时您需要使用htmlentities.有时您需要数字实体.您应该对此主题进行研究以了解所有细微差别.
Escaping data going to the browser needs to be escaped in a number of different ways depending on the target. Sometimes htmlspecialchars is enough, sometimes you need to use htmlentities. Sometimes you need numeric entities. It is a topic you should do some research on to know all of the nuances.
我所遵循的一般规则是验证(不是过滤器,如果不正确则拒绝)输入&转义输出(基于上下文).
The general rule I live by is validate (not filter, reject if incorrect) input & escape output (based on context).
这篇关于Htmlentities vs.addlashes与mysqli_real_escape_string的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!